The 2013 Pwnie Nominee For Best Client-Side Bug

Microsoft Internet Explorer VML (CVE-2013-2551)

Credit: VUPEN

At CanSecWest last March, VUPEN dropped their exploit for an integer overflow in the array resizing of a Vector Markup Language (VML) element property. Do not be fooled by the version of this exploit in Metasploit that uses heap sprays and Java to bypass DEP and ASLR. VUPEN’s exploit needed neither to gain code execution in IE10 on Windows 8.